Wednesday, December 3, 2003

Data protection laws

Wondering if anyone has any ideas on this: the UK has had its Data Protection Act for quite some time, and Canada’s Act is due to take effect on January 1, 2004. Both acts require a business that maintains contact information about an individual to have that individual’s consent.

So, hypothetically let’s say that ACME has Bob’s contact information. To comply with the acts, ACME asks Bob for his consent to store the info. Bob, being the curmudgeon that he is, says no. Reading the acts, it seems that the only thing ACME can do is remove Bob’s data from their system.

But let’s say that ACME hires a new salesperson (“Charlie”), and that person has Bob’s contact information in their Outlook contacts folder. Charlie syncs Outlook with ACME’s CRM system. Now Bob’s data is back in ACME’s database.

Isn’t the best way to comply with the law to maintain a database of contacts that don’t want to be in the database? And doesn’t that seem, uh, impossible?
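One workable shape for that "database of people who don't want to be in the database" is a suppression list that holds only a keyed hash of each refused contact, checked on every import path (the Outlook sync included). This is an added illustration, not code from the original post; `Crm`, the record layout and the demo key are assumptions.

```python
import hashlib
import hmac

# Constructed demo key for the suppression-list hashes (assumption: in a real
# deployment this would come from a secrets store, never from source).
SUPPRESSION_KEY = b"constructed-demo-key"


def normalize_email(email: str) -> str:
    """Lower-case and trim so 'Bob@Example.com ' and 'bob@example.com' match."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the normalized address: records that a person refused
    consent without the list itself retaining their plaintext contact data."""
    msg = normalize_email(email).encode()
    return hmac.new(SUPPRESSION_KEY, msg, hashlib.sha256).hexdigest()


class Crm:
    def __init__(self) -> None:
        self.contacts = {}       # normalized email -> record, consented contacts only
        self.suppressed = set()  # tokens of people who refused consent

    def withdraw_consent(self, email: str) -> None:
        """Bob says no: drop his record, keep only a token saying he refused."""
        self.contacts.pop(normalize_email(email), None)
        self.suppressed.add(suppression_token(email))

    def import_contacts(self, records):
        """Single import path for every source (manual entry, Outlook sync, ...).
        Returns (accepted, rejected) so the sync job can log what it dropped."""
        accepted, rejected = [], []
        for rec in records:
            email = normalize_email(rec["email"])
            if suppression_token(email) in self.suppressed:
                rejected.append(email)   # Charlie's copy of Bob never lands
                continue
            self.contacts[email] = rec
            accepted.append(email)
        return accepted, rejected
```

The check only works if every route into the CRM goes through `import_contacts`; a sync that writes to the contacts table directly bypasses it.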

It seems to me that both acts are designed with a consumer focus — namely, that they’re seeking to limit abuses of personal information among marketing organizations. It doesn’t appear that they anticipate the use of contact information in the normal course of business (in a business-to-business context)… which makes it problematic (at best) to know how one should attempt to comply with the laws. Anyone with more info on these topics than I care to comment?